GitHub removes researcher’s Exchange Server exploit, sparking industry debate
Microsoft-owned GitHub has removed a security researcher’s proof-of-concept exploit for vulnerabilities in Microsoft software that are at the center of widespread malicious cyber activity.
The decision immediately touched off debate in the cybersecurity industry over when researchers should refrain from releasing software exploits and how software repositories like GitHub should govern their users.
It’s an unusually sensitive situation: A slew of Chinese state-linked hackers have already exploited the flaws in Exchange Server, a popular email software, and analysts fear cybercriminals could be not far behind in abusing the bugs. And now the concern for some security analysts is that researcher Nguyen Jang’s release of a proof-of-concept exploit could enable additional malicious attackers to exploit the flaws. Nguyen defended the decision by saying it would prompt organizations to patch.
A GitHub spokesperson said it removed the code because it violated the platform’s policy against uploading “active” software exploits.
“We understand that the publication and distribution of proof-of–concept exploit code has educational and research value to the security community, and our goal is to balance that benefit with keeping the broader ecosystem safe,” the GitHub spokesperson said.
“In accordance with our Acceptable Use Policies, we disabled the gist following reports that it contains proof of concept code for a recently disclosed vulnerability that is being actively exploited,” the GitHub statement continued.
But Katie Moussouris, CEO of Luta Security, argued that proof-of-concept exploit code can be the incentive that organizations need to apply software patches. Other analysts countered that some small organizations do not have the resources to quickly apply those fixes.
The Record first reported on the proof-of-concept exploit code.
The GitHub spokesperson did not respond when asked how long the exploit code was available on the platform.
Some security experts said that it is not a zero-sum issue — that researchers could explore the exploits without going public with them. Matt Graeber, director of research at security firm Red Canary, urged researchers to refrain from releasing exploit code and instead recommend defensive measures based on their knowledge of the exploit.
As debates over security research ethics rage on, so, too, do the compromises of organizations running vulnerable Exchange Server software. The FBI said Wednesday that all 56 of its field offices were investigating malicious Exchange Server activity.